You can download the latest supported phone or handset firmware for 3CX from here: https://www.3cx.com/support/phone-firmwares/Follow @aid_in_it
3CX Version 14 Service Pack 3 seems to include/use very old and insecure versions of OpenSSL 1.0.1e (11th February 2013) and 1.0.1g (5th June 2014).
More info about the locations is below:
C:\Program Files\3CX Phone System\Instance1\Bin\libeay32.dll
C:\Program Files\3CX Phone System\Instance1\Bin\ssleay32.dll
1.0.1g (5 Jun 2014)
1.0.1e (11 Feb 2013)
OpenSSL 1.0.1t is the latest release and resolves a number of serious vulnerabilities
This means that 3CX V14 Service Pack 3 is likely to be vulnerable to all of the documented vulnerabilities prior to the 1.0.1t OpenSSL release. Using an IPS firewall may help to reduce the risk to your system until an updated version of OpenSSL is integrated into 3CX.Follow @aid_in_it
RC4 cipher suite is still enabled in Abyss Web Server X2 (Version 188.8.131.52) that is supplied with 3CX Version 14 Service Pack 3.
3CX Version 14 Service Pack 3 seems to include/use a very old and insecure PostgreSQL version 9.2.4 (released 04-04-2013).